Slashdot Mirror


Flaw Made Public In OpenSSH Encryption

alimo20 writes "Researchers at the Royal Holloway, University of London have discovered a flaw in Version 4.7 of OpenSSH on Debian/GNU Linux. According to ISG lead professor Kenny Paterson, an attacker has a 2^{-18} (that is, one in 262,144) chance of success. Paterson says that this is more significant than past discoveries because 'This is a design flaw in OpenSSH. The other vulnerabilities have been more about coding errors.' The vulnerability is possible by a man-in-the-middle intercepting blocks of encrypted material as it passes. The attacker then re-transmits the data back to the server and counts the number of bytes before the server throws error messages and disconnects the attacker. Using this information, the attacker can work backwards to figure out the first 4 bytes of data before encryption. 'The attack relies on flaws in the RFC (Request for Comments) internet standards that define SSH, said Paterson. ... Paterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days.'"

  1. Good Thing by neoform · · Score: 5, Funny

    Whew. Glad I use Telnet.

    --
    MABASPLOOM!
    1. Re:Good Thing by timeOday · · Score: 5, Funny

      But telnet transmits your credentials unencrypted! To be super-secure I simply avoid transmitting them in the first place...

      root@host# nc -l -p 1999 -c bash

      user@otherhost: nc otherhost 1999
      whoami
      rm -fR /

      (PS don't actually do this)

  2. OKay by JamesP · · Score: 2, Funny

    The 2^-18 is _really_scary_

    The 'first 4 bytes', not so much.

    So, meh. Of course true hardcore cryptanalysts are sure to be already ditching OpenSSH or maybe piping it through GPG first.

    --
    how long until /. fixes commenting on Chrome?
    1. Re:OKay by Anonymous Coward · · Score: 2, Funny

      The 2^-18 is _really_scary_

      The 'first 4 bytes', not so much.

      So, meh. Of course true hardcore cryptanalysts are sure to be already ditching OpenSSH or maybe piping it through GPG first.

      Fuck gubfr onfgneqf, ebg13 vf tbbq rabhtu sbe nalbar.

      captcha: rotator

    2. Re:OKay by swillden · · Score: 4, Funny

      The 2^-18 is _really_scary_

      The 'first 4 bytes', not so much.

      So, meh. Of course true hardcore cryptanalysts are sure to be already ditching OpenSSH or maybe piping it through GPG first.

      Fuck gubfr onfgneqf, ebg13 vf tbbq rabhtu sbe nalbar.

      Allow me to translate:

      $ echo "Fuck gubfr onfgneqf, ebg13 vf tbbq rabhtu sbe nalbar." | caesar
      Shpx those bastards, rot13 is good enough for anyone.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. Re:Not much of a threat... by Anonymous Coward · · Score: 1, Funny

    Get off my lawn!

  4. Re:Not much of a threat... by cptnapalm · · Score: 2, Funny

    This is not your lawn. The property line clearly indicates...

    wait a minute...

    you are on MY LAWN!

  5. Re:Not much of a threat... by .sig · · Score: 3, Funny

    Anyone else remember when stone tablets were the usual target, and cave drawings considered "safe"?

    --
    -Space for rent
  6. Re:Hmm.... four bytes... by Anonymous Coward · · Score: 1, Funny

    FU!\0

  7. Re:Old version = old news by Prof.Phreak · · Score: 4, Funny

    O_o

    $ ssh -V
    OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

    --

    "If anything can go wrong, it will." - Murphy

  8. Re:Design flaw by Culture20 · · Score: 4, Funny

    Why does this only effect Debian?

    Damnit, it's affect.

    Not if the openSSH flaw were causing Debian to exist. Then it would be effecting Debian.
    http://crofsblogs.typepad.com/english/2005/08/effect_as_a_ver.html

  9. Re:SSH standard by SoupGuru · · Score: 3, Funny

    Also, dude, chink is not the preferred nomenclature. Asian-American, please.

    --
    What doesn't kill you only delays the inevitable
  10. Re:SSH standard by FMZ · · Score: 5, Funny

    Hmmm.... k. Seems there's an Asian-American in the armor of OpenSSH

  11. Re:Wait, what? by lgw · · Score: 3, Funny

    All those hippie OSs look the same. Take a bath, cut your hair, and use a secure OS like Windows.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  12. Re:Old version = old news by RazzleDazzle · · Score: 4, Funny

    More importantly: can you send me the output of "ifconfig" and "lynx -dump http://www.ipchicken.com/"

    --
    ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
  13. Re:Old version = old news by Anonymous Coward · · Score: 1, Funny

    Heh, did you know when you type your ip address on slashdot it comes up as stars? Look: this is mine ***.**.***.** try it! it's fun! :)

  14. Re:Old version = old news by Tubal-Cain · · Score: 2, Funny
    Here's the lynx output:

    The program 'lynx' can be found in the following packages:
    * lynx-cur
    * lynx-cur-wrapper
    Try: sudo apt-get install <selected package>
    bash: lynx: command not found

  15. Re:Old version = old news by X0563511 · · Score: 4, Funny

    eix-sync && emerge -auDNtv world; sleep 1374261893645973165479613; echo "FINALLY!"

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  16. Re:Old version = old news by jonadab · · Score: 2, Funny

    Sure, no problem:

    nathan@groundhog:~$ ifconfig
    bash: ifconfig: command not found
    nathan@groundhog:~$ lynx -dump http://www.ipchicken.com/
    bash: lynx: command not found
    nathan@groundhog:~$

    Anything else I can do for you?

    --
    Cut that out, or I will ship you to Norilsk in a box.
  17. Re:SSH standard by Anonymous Coward · · Score: 1, Funny

    Is the armor a giant flying robot?